[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922768&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922768
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:34
Start Date: 10/Jun/24 06:34
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #240:
URL: https://github.com/apache/struts-site/pull/240




Issue Time Tracking
---

Worklog Id: (was: 922768)
Time Spent: 4h 40m  (was: 4.5h)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the  and  tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922766&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922766
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:27
Start Date: 10/Jun/24 06:27
Worklog Time Spent: 10m 
  Work Description: asf-ci commented on PR #240:
URL: https://github.com/apache/struts-site/pull/240#issuecomment-2157426725

   Staged site is ready at https://struts.staged.apache.org/




Issue Time Tracking
---

Worklog Id: (was: 922766)
Time Spent: 4.5h  (was: 4h 20m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922765&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922765
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:16
Start Date: 10/Jun/24 06:16
Worklog Time Spent: 10m 
  Work Description: asf-ci commented on PR #240:
URL: https://github.com/apache/struts-site/pull/240#issuecomment-2157400709

   Staged site is ready at https://struts.staged.apache.org/




Issue Time Tracking
---

Worklog Id: (was: 922765)
Time Spent: 4h 20m  (was: 4h 10m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922764&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922764
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:10
Start Date: 10/Jun/24 06:10
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #240:
URL: https://github.com/apache/struts-site/pull/240

   (no comment)




Issue Time Tracking
---

Worklog Id: (was: 922764)
Time Spent: 4h 10m  (was: 4h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922763&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922763
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:03
Start Date: 10/Jun/24 06:03
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #239:
URL: https://github.com/apache/struts-site/pull/239




Issue Time Tracking
---

Worklog Id: (was: 922763)
Time Spent: 4h  (was: 3h 50m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922762&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922762
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:02
Start Date: 10/Jun/24 06:02
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #239:
URL: https://github.com/apache/struts-site/pull/239

   Refs [WW-5400](https://issues.apache.org/jira/browse/WW-5400)




Issue Time Tracking
---

Worklog Id: (was: 922762)
Time Spent: 3h 50m  (was: 3h 40m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922761&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922761
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 06:02
Start Date: 10/Jun/24 06:02
Worklog Time Spent: 10m 
  Work Description: lukaszlenart closed pull request #239: WW-5400 
Documents how to use cspSettingsClassName parameter
URL: https://github.com/apache/struts-site/pull/239




Issue Time Tracking
---

Worklog Id: (was: 922761)
Time Spent: 3h 40m  (was: 3.5h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922758&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922758
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 05:32
Start Date: 10/Jun/24 05:32
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #239:
URL: https://github.com/apache/struts-site/pull/239

   Refs [WW-5400](https://issues.apache.org/jira/browse/WW-5400)




Issue Time Tracking
---

Worklog Id: (was: 922758)
Time Spent: 3.5h  (was: 3h 20m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922757&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922757
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 05:32
Start Date: 10/Jun/24 05:32
Worklog Time Spent: 10m 
  Work Description: lukaszlenart closed pull request #239: WW-5400 
Documents how to use cspSettingsClassName parameter
URL: https://github.com/apache/struts-site/pull/239




Issue Time Tracking
---

Worklog Id: (was: 922757)
Time Spent: 3h 20m  (was: 3h 10m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922756&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922756
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 05:28
Start Date: 10/Jun/24 05:28
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #239:
URL: https://github.com/apache/struts-site/pull/239

   Refs [WW-5400](https://issues.apache.org/jira/browse/WW-5400)




Issue Time Tracking
---

Worklog Id: (was: 922756)
Time Spent: 3h 10m  (was: 3h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922755&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922755
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 05:28
Start Date: 10/Jun/24 05:28
Worklog Time Spent: 10m 
  Work Description: lukaszlenart closed pull request #239: WW-5400 
Documents how to use cspSettingsClassName parameter
URL: https://github.com/apache/struts-site/pull/239




Issue Time Tracking
---

Worklog Id: (was: 922755)
Time Spent: 3h  (was: 2h 50m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922753&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922753
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 05:10
Start Date: 10/Jun/24 05:10
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #239:
URL: https://github.com/apache/struts-site/pull/239

   Refs [WW-5400](https://issues.apache.org/jira/browse/WW-5400)




Issue Time Tracking
---

Worklog Id: (was: 922753)
Time Spent: 2h 50m  (was: 2h 40m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922751&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922751
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Jun/24 05:02
Start Date: 10/Jun/24 05:02
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #956:
URL: https://github.com/apache/struts/pull/956




Issue Time Tracking
---

Worklog Id: (was: 922751)
Time Spent: 2h 40m  (was: 2.5h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922279&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922279
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 06/Jun/24 04:38
Start Date: 06/Jun/24 04:38
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #956:
URL: https://github.com/apache/struts/pull/956#issuecomment-2151397853

   ## Quality Gate passed
   Issues
   - [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=956&resolved=false&sinceLeakPeriod=true)
   - [0 Accepted issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=956&resolutions=WONTFIX)

   Measures
   - [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts&pullRequest=956&resolved=false&sinceLeakPeriod=true)
   - [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=956&metric=new_coverage&view=list)
   - [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=956&metric=new_duplicated_lines_density&view=list)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=956)
   
   




Issue Time Tracking
---

Worklog Id: (was: 922279)
Time Spent: 2.5h  (was: 2h 20m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922275&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922275
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 06/Jun/24 03:54
Start Date: 06/Jun/24 03:54
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #956:
URL: https://github.com/apache/struts/pull/956#discussion_r1628741666


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -57,26 +59,28 @@ public String intercept(ActionInvocation invocation) throws 
Exception {
 LOG.trace("Using CspSettings provided by the action: {}", action);
 applySettings(invocation, ((CspSettingsAware) 
action).getCspSettings());
 } else {
-LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, 
action);
+LOG.trace("Using {} with action: {}", cspSettingsClassName, 
action);
+CspSettings cspSettings = createCspSettings(invocation);
+applySettings(invocation, cspSettings);
+}
+return invocation.invoke();
+}
 
-// if the defaultCspSettingsClassName is not a real class, throw 
an exception
-try {
-Class.forName(defaultCspSettingsClassName, false, 
Thread.currentThread().getContextClassLoader());
-}
-catch (ClassNotFoundException e) {
-throw new IllegalArgumentException("The 
defaultCspSettingsClassName must be a real class.");
-}
+private CspSettings createCspSettings(ActionInvocation invocation) throws 
ClassNotFoundException {
+Class cspSettingsClass;
 
-// if defaultCspSettingsClassName does not implement CspSettings, 
throw an exception
-if 
(!CspSettings.class.isAssignableFrom(Class.forName(defaultCspSettingsClassName)))
 {
-throw new IllegalArgumentException("The 
defaultCspSettingsClassName must implement CspSettings.");
-}
+try {
+cspSettingsClass = ClassLoaderUtil.loadClass(cspSettingsClassName, 
getClass());
+} catch (ClassNotFoundException e) {
+throw new ConfigurationException(String.format("The class %s 
doesn't exist!", cspSettingsClassName));
+}
 
-CspSettings cspSettings = (CspSettings) 
Class.forName(defaultCspSettingsClassName)
-.getDeclaredConstructor().newInstance();
-applySettings(invocation, cspSettings);
+if 
(!CspSettings.class.isAssignableFrom(Class.forName(cspSettingsClassName))) {
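
Review bot: On the last added line, `Class.forName(cspSettingsClassName)` resolves the class name a second time instead of reusing the result of `ClassLoaderUtil.loadClass(cspSettingsClassName, getClass())` from the `try` block above, so the `CspSettings` type check runs against a separate lookup than the one that just succeeded and can raise its own `ClassNotFoundException` outside the `try`. Test `cspSettingsClass` directly, and once that call is gone check whether `createCspSettings` still needs `throws ClassNotFoundException`. In the new `catch`, the `ConfigurationException` is built from the formatted message only and the caught `e` is dropped; pass it along as the cause if the constructor allows it. The local would also be better declared as `Class<?>` than as the raw `Class`.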

Review Comment:
   ```suggestion
   if (!CspSettings.class.isAssignableFrom(cspSettingsClass)) {
   ```





Issue Time Tracking
---

Worklog Id: (was: 922275)
Time Spent: 2h 20m  (was: 2h 10m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922080&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922080
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 05/Jun/24 05:46
Start Date: 05/Jun/24 05:46
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #956:
URL: https://github.com/apache/struts/pull/956#issuecomment-2148906410

   ## Quality Gate passed
   Issues
   - [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=956&resolved=false&sinceLeakPeriod=true)
   - [0 Accepted issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=956&resolutions=WONTFIX)

   Measures
   - [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts&pullRequest=956&resolved=false&sinceLeakPeriod=true)
   - [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=956&metric=new_coverage&view=list)
   - [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=956&metric=new_duplicated_lines_density&view=list)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=956)




Issue Time Tracking
---

Worklog Id: (was: 922080)
Time Spent: 2h 10m  (was: 2h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922079&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922079
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 05/Jun/24 05:45
Start Date: 05/Jun/24 05:45
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #956:
URL: https://github.com/apache/struts/pull/956#issuecomment-2148904765

   ## Quality Gate passed
   Issues
   - [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=956&resolved=false&sinceLeakPeriod=true)
   - [0 Accepted issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=956&resolutions=WONTFIX)

   Measures
   - [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts&pullRequest=956&resolved=false&sinceLeakPeriod=true)
   - [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=956&metric=new_coverage&view=list)
   - [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=956&metric=new_duplicated_lines_density&view=list)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=956)




Issue Time Tracking
---

Worklog Id: (was: 922079)
Time Spent: 2h  (was: 1h 50m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922076&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922076
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 05/Jun/24 05:39
Start Date: 05/Jun/24 05:39
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on PR #956:
URL: https://github.com/apache/struts/pull/956#issuecomment-2148898785

   /cc: @eschulma
   




Issue Time Tracking
---

Worklog Id: (was: 922076)
Time Spent: 1h 50m  (was: 1h 40m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-06-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=922075&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-922075
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 05/Jun/24 05:38
Start Date: 05/Jun/24 05:38
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #956:
URL: https://github.com/apache/struts/pull/956

   Small refactoring of how `CspSettings` class is created plus additional 
tests. See #913 for more details.
   
   Closes [WW-5400](https://issues.apache.org/jira/browse/WW-5400)




Issue Time Tracking
---

Worklog Id: (was: 922075)
Time Spent: 1h 40m  (was: 1.5h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-05-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=918896&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918896
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/May/24 04:36
Start Date: 11/May/24 04:36
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #913:
URL: https://github.com/apache/struts/pull/913




Issue Time Tracking
---

Worklog Id: (was: 918896)
Time Spent: 1.5h  (was: 1h 20m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-28 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=916761&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916761
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 28/Apr/24 14:41
Start Date: 28/Apr/24 14:41
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1582193457


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -54,8 +57,24 @@ public String intercept(ActionInvocation invocation) throws 
Exception {
 LOG.trace("Using CspSettings provided by the action: {}", action);
 applySettings(invocation, ((CspSettingsAware) 
action).getCspSettings());
 } else {
-LOG.trace("Using DefaultCspSettings with action: {}", action);
-applySettings(invocation, new DefaultCspSettings());
+LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, 
action);
+
+// if the defaultCspSettingsClassName is not a real class, throw 
an exception
+try {
+Class.forName(defaultCspSettingsClassName, false, 
Thread.currentThread().getContextClassLoader());
+}
+catch (ClassNotFoundException e) {
+throw new IllegalArgumentException("The 
defaultCspSettingsClassName must be a real class.");
+}
+
+// if defaultCspSettingsClassName does not implement CspSettings, 
throw an exception
+if 
(!CspSettings.class.isAssignableFrom(Class.forName(defaultCspSettingsClassName)))
 {
+throw new IllegalArgumentException("The 
defaultCspSettingsClassName must implement CspSettings.");
+}
+
+CspSettings cspSettings = (CspSettings) 
Class.forName(defaultCspSettingsClassName)
+.getDeclaredConstructor().newInstance();
+applySettings(invocation, cspSettings);
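Review bot: the added `else` branch resolves `defaultCspSettingsClassName` three times with two different class loaders: the existence check uses `Thread.currentThread().getContextClassLoader()`, while the `isAssignableFrom` check and the `newInstance()` call use the single-argument `Class.forName`, which resolves against the loader of the interceptor class itself. A class that is visible only through the context loader passes the first check and then fails with an unwrapped `ClassNotFoundException` out of `intercept`. Load the class once, keep the resulting `Class<?>`, and use that one object for both the type check and the instantiation; the `IllegalArgumentException` in the `catch` should also carry `e` as its cause.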

Review Comment:
   I wonder if we can move this code into `init()` method of the interceptor as 
right now a new instance is created per each invocation





Issue Time Tracking
---

Worklog Id: (was: 916761)
Time Spent: 1h 20m  (was: 1h 10m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914447&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914447
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 17:42
Start Date: 12/Apr/24 17:42
Worklog Time Spent: 10m 
  Work Description: eschulma commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1562942223


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspSettings.java:
##
@@ -56,6 +57,11 @@ public interface CspSettings {
  */
 void setReportUri(String uri);
 
+/**
+ * Sets the report group where csp violation reports will be sent
+ */

Review Comment:
   Done





Issue Time Tracking
---

Worklog Id: (was: 914447)
Time Spent: 1h 10m  (was: 1h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914446&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914446
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 17:41
Start Date: 12/Apr/24 17:41
Worklog Time Spent: 10m 
  Work Description: eschulma commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1562941786


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean 
prependServletContext) {
 this.prependServletContext = prependServletContext;
 }
 
-}
+/**
+ * Sets the class name of the default {@link CspSettings} implementation 
to use when the action does not
+ * set its own values. If not set, the default is {@link 
DefaultCspSettings}.
+ */

Review Comment:
   Done





Issue Time Tracking
---

Worklog Id: (was: 914446)
Time Spent: 1h  (was: 50m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914318&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914318
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 05:34
Start Date: 12/Apr/24 05:34
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1562033229


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean 
prependServletContext) {
 this.prependServletContext = prependServletContext;
 }
 
-}
+/**
+ * Sets the class name of the default {@link CspSettings} implementation 
to use when the action does not
+ * set its own values. If not set, the default is {@link 
DefaultCspSettings}.
+ */
+public void setDefaultCspSettingsClassName(String 
defaultCspSettingsClassName) {
+this.defaultCspSettingsClassName = defaultCspSettingsClassName;
+}
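Review bot: `setDefaultCspSettingsClassName` stores whatever string it is given, so a null, blank or mistyped value silently replaces the `DefaultCspSettings` default and is only noticed on the first request that reaches the interceptor. Reject null and blank values in the setter, so that a configuration mistake fails at startup instead of at request time, and add a `@param` line to the Javadoc saying that a fully qualified class name is expected.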

Review Comment:
   You can use Struts inject mechanism instead of using raw class and creating 
the instance by yourself. It's all about defining a `` and then annotating the setter with 
`@Inject("customCspSettings")`.
   
   I assume you never played with Struts @Inject, so let's leave it as is and I 
will change that in the next PR.



##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean 
prependServletContext) {
 this.prependServletContext = prependServletContext;
 }
 
-}
+/**
+ * Sets the class name of the default {@link CspSettings} implementation 
to use when the action does not
+ * set its own values. If not set, the default is {@link 
DefaultCspSettings}.
+ */

Review Comment:
   Please add `@since Struts 6.5.0` 
[annotation](https://www.oracle.com/pl/technical-resources/articles/java/javadoc-tool.html#@since)



##
core/src/main/java/org/apache/struts2/interceptor/csp/CspSettings.java:
##
@@ -56,6 +57,11 @@ public interface CspSettings {
  */
 void setReportUri(String uri);
 
+/**
+ * Sets the report group where csp violation reports will be sent
+ */
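Review bot: the new Javadoc says only that the method "Sets the report group"; it does not say which CSP directive or response header the group name ends up in, or how it relates to `setReportUri` declared just above it. State that in the comment, add a `@param` line for the method's argument, and capitalise "CSP".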

Review Comment:
   Could you add [@since Struts 
6.5.0](https://www.oracle.com/pl/technical-resources/articles/java/javadoc-tool.html#@since)?





Issue Time Tracking
---

Worklog Id: (was: 914318)
Time Spent: 50m  (was: 40m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914281&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914281
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 21:01
Start Date: 11/Apr/24 21:01
Worklog Time Spent: 10m 
  Work Description: eschulma commented on PR #913:
URL: https://github.com/apache/struts/pull/913#issuecomment-2050535381

   Ok all good.




Issue Time Tracking
---

Worklog Id: (was: 914281)
Time Spent: 40m  (was: 0.5h)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914267&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914267
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 18:53
Start Date: 11/Apr/24 18:53
Worklog Time Spent: 10m 
  Work Description: eschulma commented on PR #913:
URL: https://github.com/apache/struts/pull/913#issuecomment-2050317405

   Hold off a bit, I need to check something (this is what I get for 
implementing my own separate solution)




Issue Time Tracking
---

Worklog Id: (was: 914267)
Time Spent: 0.5h  (was: 20m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914207&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914207
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 15:03
Start Date: 11/Apr/24 15:03
Worklog Time Spent: 10m 
  Work Description: eschulma commented on PR #913:
URL: https://github.com/apache/struts/pull/913#issuecomment-2049907568

   @lukaszlenart submitted per your request




Issue Time Tracking
---

Worklog Id: (was: 914207)
Time Spent: 20m  (was: 10m)



[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914041&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914041
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Apr/24 22:45
Start Date: 10/Apr/24 22:45
Worklog Time Spent: 10m 
  Work Description: eschulma opened a new pull request, #913:
URL: https://github.com/apache/struts/pull/913

   Previously, it was impossible to set global options for the CSP interceptor. 
The only option was to have every action individually implement 
CspSettingsAware.
   
   To fix this, we add an interceptor parameter of defaultCspSettingsClassName. 
Values from this class will be used in the CSP header instead of 
DefaultCspSettings. Users may define their own custom class which implements 
CspSettings, and that will be the default for all actions that do not implement 
the CspSettingsAware interface. It is now possible to create this custom class 
by simply extending DefaultCspSettings.
   
   I have fixed a spelling error in DefaultCspSettings.java 

Issue Time Tracking
---

Worklog Id: (was: 914041)
Remaining Estimate: 0h
Time Spent: 10m

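The loading pattern this thread's reviews point toward (resolve the configured class name once, check that it implements the settings interface, then instantiate it), as an added example that is not code from the Struts project. `CspSettings` here is a stand-in interface with a single hypothetical method; `CspSettingsLoaderDemo`, `DefaultSettings`, `StrictSettings`, `load` and the header values are constructed for the illustration.

```java
// Added illustration, not Struts code. CspSettings below is a stand-in for
// the project's interface; every other name and value is hypothetical.
public class CspSettingsLoaderDemo {

    interface CspSettings {
        String headerValue();
    }

    // Plays the role of the built-in default (constructed policy string).
    public static class DefaultSettings implements CspSettings {
        public String headerValue() {
            return "object-src 'none'; base-uri 'none'";
        }
    }

    // A site-wide override created by extending the default, as the PR
    // description proposes for custom settings classes.
    public static class StrictSettings extends DefaultSettings {
        @Override
        public String headerValue() {
            return "object-src 'none'; base-uri 'self'";
        }
    }

    /**
     * Resolves the configured name exactly once, with one class loader, and
     * returns an instance only after the type check has passed.
     */
    static CspSettings load(String className) {
        if (className == null || className.trim().isEmpty()) {
            throw new IllegalArgumentException("CSP settings class name is empty");
        }
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = CspSettingsLoaderDemo.class.getClassLoader();
        }

        final Class<?> candidate;
        try {
            // initialize=false: the class's static initializers do not run
            // before we know it is a CspSettings implementation.
            candidate = Class.forName(className.trim(), false, loader);
        } catch (ClassNotFoundException e) {
            // Keep the cause so the stack trace shows which lookup failed.
            throw new IllegalArgumentException("CSP settings class not found: " + className, e);
        }

        // Type check on the same Class object that will be instantiated.
        if (!CspSettings.class.isAssignableFrom(candidate)) {
            throw new IllegalArgumentException(className + " does not implement CspSettings");
        }

        try {
            return candidate.asSubclass(CspSettings.class)
                    .getDeclaredConstructor()
                    .newInstance();
        } catch (ReflectiveOperationException e) {
            // Abstract class, missing no-arg constructor, or constructor failure.
            throw new IllegalArgumentException("Cannot instantiate " + className, e);
        }
    }

    public static void main(String[] args) {
        String outer = CspSettingsLoaderDemo.class.getName();

        // Valid override: nested classes use the binary name Outer$Inner.
        System.out.println(load(outer + "$StrictSettings").headerValue());

        // Misconfigurations: wrong type, unknown class, blank value.
        for (String bad : new String[] {"java.lang.String", "no.such.Clazz", " "}) {
            try {
                load(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```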